Friendly, non-invasive Microsoft (NGC)

**WhiteFeather** · April 29th, 2008, 01:24 PM

Could this be also used against gun owners with post in forums like this?

http://seattletimes.nwsource.com/htm...msftlaw29.html

Microsoft device helps police pluck evidence from cyberscene of crime

By Benjamin J. Romano

Seattle Times technology reporter

Microsoft has developed a small plug-in device that investigators can use to
quickly extract forensic data from computers that may have been used in
crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is
a USB "thumb drive" that was quietly distributed to a handful of
law-enforcement agencies last June. Microsoft General Counsel Brad Smith
described its use to the 350 law-enforcement experts attending a company
conference Monday.

The device contains 150 commands that can dramatically cut the time it takes
to gather digital evidence, which is becoming more important in real-world
crime, as well as cybercrime. It can decrypt passwords and analyze a
computer's Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically
involves disconnecting from a network, turning off the power and potentially
losing data. Instead, the investigator can scan for evidence on site.

More than 2,000 officers in 15 countries, including Poland, the Philippines,
Germany, New Zealand and the United States, are using the device, which
Microsoft provides free.

"These are things that we invest substantial resources in, but not from the
perspective of selling to make money," Smith said in an interview. "We're
doing this to help ensure that the Internet stays safe."

Law-enforcement officials from agencies in 35 countries are in Redmond this
week to talk about how technology can help fight crime. Microsoft held a
similar event in 2006. Discussions there led to the creation of COFEE.

Smith compared the Internet of today to London and other Industrial
Revolution cities in the early 1800s. As people flocked from small
communities where everyone knew each other, an anonymity emerged in the
cities and a rise in crime followed.

The social aspects of Web 2.0 are like "new digital cities," Smith said.
Publishers, interested in creating huge audiences to sell advertising, let
people participate anonymously.

That's allowing "criminals to infiltrate the community, become part of the
conversation and persuade people to part with personal information," Smith
said.

Children are particularly at risk to anonymous predators or those with false
identities. "Criminals seek to win a child's confidence in cyberspace and
meet in real space," Smith cautioned.

Expertise and technology like COFEE are needed to investigate cybercrime,
and, increasingly, real-world crimes.

"So many of our crimes today, just as our lives, involve the Internet and
other digital evidence," said Lisa Johnson, who heads the Special Assault
Unit in the King County Prosecuting Attorney's Office.

A suspect's online activities can corroborate a crime or dispel an alibi,
she said.

The 35 individual law-enforcement agencies in King County, for example,
don't have the resources to investigate the explosion of digital evidence
they seize, said Johnson, who attended the conference.

"They might even choose not to seize it because they don't know what to do
with it," she said. "... We've kind of equated it to asking specific
law-enforcement agencies to do their own DNA analysis. You can't possibly do
that."

Johnson said the prosecutor's office, the Washington Attorney General's
Office and Microsoft are working on a proposal to the Legislature to fund
computer forensic crime labs.

Microsoft also got credit for other public-private partnerships around law
enforcement.

Jean-Michel Louboutin, Interpol's executive director of police services,
said only 10 of 50 African countries have dedicated cybercrime investigative
units.

"The digital divide is no exaggeration," he told the conference. "Even in
countries with dedicated cybercrime units, expertise is often too scarce."

He credited Microsoft for helping Interpol develop training materials and
international databases used to prevent child abuse.

Smith acknowledged Microsoft's efforts are not purely altruistic. It
benefits from selling collaboration software and other technology to
law-enforcement agencies, just like everybody else, he said.

**SteveXD** · April 29th, 2008, 02:03 PM

I tried googling it to find more information, but it was only available on small news sites. All which give the same article.

I think that this is a false item. This is a HUGE security issue if they allowed something like this to get out. I know that many software companies work directly with the military to allow certain exploits, but they all have clearance...

O' Crap it is real!!!
http://www.microsoft.com/presspass/f...CrantonQA.mspx

**LorDiego01** · April 29th, 2008, 02:33 PM

There is always Linux.

**awkx** · April 29th, 2008, 03:54 PM

I see three possible attack vectors that this USB device might use:

Designate the snooping program as the "auto-run" program for the USB thumbdrive. This doesn't require any special hardware, and in fact any programmer can easily do this by themselves. By default, MS Windows will automatically execute an "auto-run" program on a CD, USB drive, or other removable media. You can turn this "feature" off, and in fact I would strongly recommend doing so.
Develop malicious hardware that grabs data from memory using Direct Memory Access (DMA). IIRC, USB devices can use DMA to directly access system memory without going through the computer's central processor (CPU). DMA improves performance, but it can also create security holes in this case.
There's also the possibility that Microsoft deliberately created a backdoor in their OS. I personally doubt that this is true, because Microsoft would know that such a backdoor could easily be exploited by hackers, but it is still a possibility.

**netw0rkpenguin** · April 29th, 2008, 04:31 PM

Any time you are fucking around with a hard drive without first making a forensically sound image using a lab tested and approved method you are 1) risking your evidense being thrown out at the preliminary hearing 2) taking away recourse from those accused.

There have been some good direct memmory access exploits released that use the firewire port, lets you muck around with a system even if its logged, even grab the SAM._ file for offline cracking etc etc. Good luck making any evidense stick, might be a great dirty investigative tool. If you read the list of countries, many of those countries do not have the same kind of rights as USA citizens. If you want to make a criminal case against someone or high end corporate case you are using EnCase or Coroners Toolkit (the linux toolkit not bone saw kind).

Now that being said if that kit ever becomes public it would be trivial to release tons of exploits that would fuck with results if its run on your machine, kind of like 'special' file systems to take down EnCase and halt image acquisition.